DROP (Don't Route Or Peer) is an advisory "drop all traffic" list. DROP is a tiny subset of the SBL designed for use by firewalls and routing equipment. The DROP list will not include any IP space allocated to a legitimate network and reassigned - even if reassigned to the proverbial "spammers from hell". DROP includes netblocks that are hijacked or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). These are direct allocations from ARIN, RIPE, APNIC, LACNIC, or other Regional Internet Registries and "portable allocations" (known as "PI") from RIPE.

Spamhaus strongly recommends the use of DROP by tier-1 and backbone networks. Simply consulting the DROP list's webpage when someone asks you to route some suspicious IPs can help avoid picking up customers you would just as soon not have on your network.

What is EDROP?

EDROP is an extended version of the DROP list that will include netblocks controlled by professional spamming operations and cyber criminals that are not directly allocated. This means that EDROP only includes netblocks that are sub-allocations. Direct allocations will be listed in DROP only.

Spamhaus strongly recommends the use of EDROP by tier-1 and backbone networks. Simply consulting the DROP list's webpage when someone asks you to route some suspicious IPs can help avoid picking up customers you would just as soon not have on your network.

Who should use the DROP / EDROP list?

Anyone or anyplace that has the ability to block or filter IP address ranges on their network.

The DROP list is also open for all to download and use; there is no fee for usage. The only things we require are that:

The DROP list should not be imported into your network filters and forgotten about. Please check regularly to ensure you have the latest version of the DROP list. This should be automated.

The DROP list data should not be downloaded from our website more than once per hour, nor less frequently than once per day.

Most of the other Spamhaus data-sets (SBL, XBL, PBL) are designed for SMTP connection time filtering. The DROP list is small in comparison and is not a replacement. It can be used to further secure one's network from those attempting to attack it or harm one's users.

For Internet Service Providers (ISPs) or organisations that can run the Border Gateway Protocol (BGP) on their border routers, Spamhaus offers DROP and EDROP along with its botnet C&C list (BGPCC) as a BGP feed, with which any networking device can peer using the BGP protocol. More information about this service can be found on the Spamhaus BGPf page.

Are DROP and EDROP also available via DNS lookups?

All the networks listed in DROP and EDROP are also listed on the SBL blocking list, and therefore SBL and ZEN lookups return a listed status for those networks.
Since 1st June 2016, the 127.0.0.9 code is returned in addition to the standard 127.0.0.2 return code of the SBL for these networks. Therefore, a 127.0.0.9 return code indicates listing in DROP or in EDROP.
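The return-code rule above is easy to get subtly wrong in a mail filter or SIEM enrichment script, so here is an added example (not code from Spamhaus or from this page) that builds the reversed-octet query name and interprets the A records a ZEN/SBL lookup returns. 127.0.0.2 and 127.0.0.9 are the codes stated on this page; the other ZEN codes in the table are the public ones documented by Spamhaus and are included for completeness only. The zone name zen.spamhaus.org is the public ZEN zone; the sample responses are constructed.

```python
import ipaddress
import socket

# Spamhaus return codes. 127.0.0.2 (SBL) and 127.0.0.9 (DROP/EDROP) are stated on
# this page; the remaining entries are the public ZEN codes as documented by
# Spamhaus and are not taken from this page.
RETURN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "DROP/EDROP",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}

DNSBL_CODE_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL query name: the IPv4 octets reversed, then the zone.
    192.0.2.10 -> 10.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 lookups only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_response(answers) -> set:
    """Map the A records returned by a ZEN/SBL lookup to listing categories.

    A DROP/EDROP netblock answers with both 127.0.0.2 and 127.0.0.9, so the
    result is a set. Records outside 127.0.0.0/8 are ignored: they cannot be
    genuine DNSBL codes (a resolver that wildcards NXDOMAIN to a search page
    would otherwise make every address look listed)."""
    categories = set()
    for a in answers:
        addr = ipaddress.ip_address(a)
        if addr not in DNSBL_CODE_RANGE:
            continue
        categories.add(RETURN_CODES.get(str(addr), f"unknown code {addr}"))
    return categories


def is_drop_listed(answers) -> bool:
    """True only if the 127.0.0.9 code (DROP or EDROP) was returned."""
    return "DROP/EDROP" in interpret_response(answers)


def lookup(ip: str, zone: str = "zen.spamhaus.org") -> set:
    """Live lookup via the system resolver; NXDOMAIN (not listed) yields an
    empty set. Not exercised offline."""
    try:
        _, _, addrs = socket.gethostbyname_ex(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return set()
    return interpret_response(addrs)


if __name__ == "__main__":
    # Constructed responses, not real lookups.
    print(dnsbl_query_name("192.0.2.10"))
    print(interpret_response(["127.0.0.2", "127.0.0.9"]))
    print(is_drop_listed(["127.0.0.2"]))
```

Note that an SBL-only answer (127.0.0.2 alone) is not a DROP listing; only the presence of 127.0.0.9 tells you the netblock is in DROP or EDROP.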

The DROP list is free for any use, how can it be any good?

The DROP list contains network ranges which can cause so much damage to internet users that Spamhaus provides it to all, free-of-charge, to help mitigate this damage. Other anti-spam data Spamhaus produces is also offered free-of-charge to most of the world's internet users via DNSBL lookups. Though we do ask larger users (corporations, universities, governments) who require high-usage or local zones to support our project by using our Datafeed service. Those who resell a product based on this data are also asked to support The Spamhaus Project.

Spamhaus believes that, due to the vital nature of the DROP list data, it will be available free-of-charge to anyplace, regardless of size or business type, to protect internet users. If one wishes to redistribute the plain text feeds, we ask that you name Spamhaus as the source of the data and retain both the copyright statement and the date & time stamps at the top of the text file.

Do also follow our other wishes on how often to fetch the file, and try not to leave an older version of the data on the web where people may think it is usable. The DROP lists are dynamic; using older versions is a bad idea.

How often should my system fetch the DROP / EDROP list?

Please DO NOT auto-fetch the DROP / EDROP list more than once per hour!

The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases. Automated downloads must be at least one hour apart. Excessive downloads may result in your IP being firewalled from the Spamhaus website.

What are "hijacked netblocks"?

A "hijacked netblock" is a netblock brought back from the dead, often by a spammer, also called a "zombie netblock." (The term "zombie" later became widely applied to the infected PC drones in a botnet.) The original owner of the block may have left it derelict for any number of reasons. Squatters then reclaim it with various ploys, including registering an abandoned domain name so as to receive email sent to the block's point of contact, printing up bogus letterhead, or doing a bit of human engineering over the telephone. Some hijackers even outright steal IP-space allocated to someone else just by announcing it under their BGP Autonomous System Number.

Oh, and Autonomous Systems are hijacked too. Old abandoned ASNs are taken by a spammer or spammer supplier to announce various IP ranges. So it's quite possible to have a hijacked netblock advertised by a hijacked ASN.

Originally a few crufty geeks found these ranges for cheap digs. While their ownership claims were unethical, they did not use the hijacked networks for abuse. All that changed when spammers entered the picture. Then the hijack game became dominated by spammers (and some script kiddies) and it is now wise to accept no packets, but certainly not e-mail, from zombie networks.

Hijacked netblocks can be found in ranges assigned by every Regional Internet Registry (RIR) including ARIN, RIPE, APNIC, and others. Restoring proper ownership of a hijacked netblock means finding the original owner (often a dissolved company) and jumping through RIR hoops. It's a slow and laborious process, important but not suited to stopping today's spam.

The peering/transit arrangements for these netblocks change very quickly. Spamhaus leaves the entire block listed in SBL, categorized under the RIR, and then provides additional pointer records for networks carrying the netblock's traffic. While such records are often only a single router's IP address (/32), the record will indicate the greater problem (and the problem is much greater than a single IP). Spamhaus may also provide additional SBL records within a hijacked netblock as various SWiPs or single IPs within the netblock are assigned to different spammers. These, too, may serve as pointers to the upstream, as the block is sometimes SWiPed as portable subnets with each spammer left to find their own transit. Many of these hijacked netblocks find their way into a special ROKSO record.

Spamhaus lists entire hijacked networks. Some of them are known to be controlled by a particular spammer and are thus listed under that spammer's ROKSO records. Those that are not assigned to another spammer may be assigned to this record. So, it is suggested that anyone searching for hijacked netblocks under their aegis not only check this record's Current SBL Listings, but also check under their domain name and RIR via the SBL search function.

How about deploying DROP / EDROP on my router?

Spamhaus offers DROP and EDROP along with its botnet C&C list (BGPCC) as a BGP feed, with which any networking device can peer using the BGP protocol. More information about this service can be found on the Spamhaus BGPf page.

If your router is a Cisco device and you don't have BGP support on it (or don't want to use it), you can also use the script developed by Marco d'Itri:

For those who use PC routers, here's a little Perl script to turn the CIDR blocks in the DROP list into Unix route commands. Different versions of route have slightly different syntax, so you need to pick the one that works with your version. Some versions of route take CIDR notation, others require netmasks, so un-comment the one that works for you. (Note the obvious Perl one-liner to turn a bit number into a dotted quad.)

To make day-to-day changes, use -o oldfile where oldfile is the previous version, and it'll give you just route delete and route add for the changes. This script is set up to fetch the current list and update once a day, which is frequent enough for nearly all networks, given the slow day-to-day churn and very conservative listing policy of the DROP list.
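As an added illustration of the update flow described above, and of the fetch-interval rules given earlier on this page (automated downloads at least one hour apart, a refresh at least once a day), here is a Python example that is not Marco d'Itri's script and not Spamhaus code. It parses the DROP text format (";" comment header, then one "CIDR ; SBL-record" line per netblock), diffs a new copy against the previous one so that only the changed netblocks produce route delete / route add commands, converts a prefix length to a dotted-quad netmask, and guards the fetch cadence. The two list texts and their SBL record ids are constructed placeholders; the route command syntax is one common form (Linux net-tools style) and is the part you adapt to your own route implementation.

```python
import ipaddress

# Constructed sample of the DROP list text format: a comment header, then
# "CIDR ; SBLnnn" data lines. The header text and record ids are placeholders,
# not real Spamhaus listings.
OLD_LIST = """\
; Spamhaus DROP List (constructed sample, previous copy)
; Last-Modified: Mon, 01 Jan 2024 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""

NEW_LIST = """\
; Spamhaus DROP List (constructed sample, current copy)
; Last-Modified: Tue, 02 Jan 2024 00:00:00 GMT
192.0.2.0/24 ; SBL000001
203.0.113.0/24 ; SBL000003
"""

MIN_FETCH_INTERVAL = 3600    # page: not more than once per hour
MAX_CACHE_AGE = 86400        # page: not less frequently than once per day


def parse_drop(text: str) -> set:
    """Return the set of netblocks in a DROP/EDROP text file.

    Comment lines begin with ';'. Data lines are 'CIDR ; SBLnnn'. Lines that do
    not parse as a proper network (including a truncated download or a prefix
    with host bits set) are skipped rather than pushed into the route table."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        cidr = line.split(";", 1)[0].strip()
        try:
            nets.add(ipaddress.ip_network(cidr, strict=True))
        except ValueError:
            continue
    return nets


def prefix_to_netmask(prefixlen: int) -> str:
    """Dotted-quad netmask for an IPv4 prefix length, e.g. 25 -> 255.255.255.128."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)


def _target(net, style: str) -> str:
    # 'cidr': route understands 192.0.2.0/24; 'netmask': it needs a separate mask.
    if style == "netmask":
        return f"-net {net.network_address} netmask {net.netmask}"
    return f"-net {net.with_prefixlen}"


def route_commands(new_nets: set, old_nets=frozenset(), style: str = "cidr") -> list:
    """Emit 'route delete' for netblocks dropped from the list and 'route add'
    for newly listed ones (as reject/blackhole routes). With no old list every
    netblock is added. Sorted by (version, network) so v4/v6 never compare."""
    key = lambda n: (n.version, n)
    cmds = [f"route delete {_target(n, style)}" for n in sorted(old_nets - new_nets, key=key)]
    cmds += [f"route add {_target(n, style)} reject" for n in sorted(new_nets - old_nets, key=key)]
    return cmds


def fetch_due(last_fetch: float, now: float) -> bool:
    """True once at least an hour has passed since the previous download."""
    return now - last_fetch >= MIN_FETCH_INTERVAL


def cache_stale(last_fetch: float, now: float) -> bool:
    """True when the local copy is older than a day and must be refreshed."""
    return now - last_fetch > MAX_CACHE_AGE


if __name__ == "__main__":
    old, new = parse_drop(OLD_LIST), parse_drop(NEW_LIST)
    for cmd in route_commands(new, old):
        print(cmd)
```

Run once a day from cron, keeping the previous download as the "old" file; because the diff is computed from the two files, a netblock delisted by Spamhaus is removed from the route table on the next run instead of lingering as a stale blackhole.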